Target IP: 10.10.164.252
Challenge Description: Enjoy the Anthem.
Running sudo nmap -sS 10.10.164.252 -Pn --top-ports=400 -g 80 shows there are only two TCP ports open on the target machine: HTTP and RDP, as shown above. The target machine blocks ICMP requests by default, so the -Pn flag is used to skip host discovery and scan the host anyway.
The result above is returned after performing an aggressive scan against the two open TCP ports. I will start enumeration with the HTTP application on port 80.
Port 80: HTTP
The webpage above is shown for this web application. By the looks of it, there are two articles.
I checked whether /robots.txt exists, and it does. The target machine returned the result shown above. The string UmbracoIsTheBest! looks interesting, as it looks like a password. The file shown in the image above also lists directories that are marked as not to be crawled, which points to hidden paths on the site.
The article above is about the admin. A Google search for the poem returns the name Solomon Grundy -- is that the admin's name? But what is the admin's email address?
I found a valid email address of the user Jane Doe: JD@anthem.com at http://10.10.164.252/archive/we-are-hiring/. What if the admin's email address is SG@anthem.com?
I used the credentials SG@anthem.com:UmbracoIsTheBest! against the login portal at http://10.10.164.252/umbraco/login.
And it worked! Now I have access to the CMS web application using the admin's credentials. I uploaded a webshell, but I was unable to use it. The target seems to be running Umbraco version 7.15.4, which is not vulnerable. Time to find other exploitation vectors.
Using the command xfreerdp /p:UmbracoIsTheBest! /u:sg /v:10.10.164.252 +clipboard /dynamic-resolution /drive:share,/tmp, I connected to the target machine over RDP on port 3389 using SG as the username and UmbracoIsTheBest! as the password. Now I have a foothold on the target machine via RDP.
I browsed to the C:\ drive. I opened the View options and ticked Hidden items to display hidden contents. Doing this reveals a hidden directory called backup, as shown above.
The hidden directory backup contains a single text file called restore. However, I was unable to read it. I got around this by granting the current user enough permission to read the file, as shown above. The steps I executed are listed below:
1. Right-click the file and open Properties, then the Security tab, then Advanced.
2. Click Add, then Select a principal.
3. Enter SG in the object name field, press Check Names, and click OK.
4. Click OK, then Apply, then OK.
After gaining enough permission, the file restore is readable and contains the content shown above. Is the string ChangeMeBaby1MoreTime a password?
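The permission change above only worked because the logged-in user was able to modify the file's access control list. As an added example that is not part of the original write-up, the following PowerShell script audits a directory for that kind of weakness: files owned by a non-administrative account, or Allow entries that grant a non-administrative identity the right to change permissions or take ownership. The path C:\backup and the list of trusted principals are assumptions; adjust them for the system under review.

```powershell
# Added audit example (not from the original write-up). Reports ACL weaknesses that let a
# low-privileged user grant themselves access to sensitive files, as with C:\backup\restore.
param(
    [string]$Path = 'C:\backup'   # assumed location; point it at the directory under review
)

# Principals expected to control the ACLs of sensitive files (assumption; extend as needed).
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that allow an identity to rewrite the DACL or take ownership, i.e. to grant itself
# read access later even if it cannot read the file now. FullControl includes both bits.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-BackupAcl {
    param([string]$Root)
    $findings = @()
    # -Force includes hidden files, which is how the backup directory was concealed above.
    Get-ChildItem -Path $Root -Recurse -Force -File | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        # The owner of an object can always rewrite its DACL, regardless of the ACEs.
        if ($TrustedPrincipals -notcontains $acl.Owner) {
            $findings += [pscustomobject]@{
                File = $_.FullName; Identity = $acl.Owner
                Issue = 'Owner is not an administrative principal'
            }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $DangerousRights) -ne 0) {
                $findings += [pscustomobject]@{
                    File = $_.FullName; Identity = $ace.IdentityReference.Value
                    Issue = "Allow ACE grants $($ace.FileSystemRights)"
                }
            }
        }
    }
    return $findings
}

Test-BackupAcl -Root $Path | Format-Table -AutoSize
```

An empty table means no file under the path can have its permissions rewritten by a non-administrative identity; any row is a file whose contents should be treated as readable by that identity.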
Running net user shows there is an Administrator user. I executed the command runas /u:administrator cmd, and it prompted me for this user's password, as shown above.
And using the password ChangeMeBaby1MoreTime for the user Administrator works! It opens a new CMD running as the user Administrator, as shown above. The root.txt flag is shown above.
The first flag is embedded in the source code of the /archive/we-are-hiring page, as shown above.
The source code of http://10.10.164.252/ contains the second flag, as shown above. The third flag is THM{L0L_WH0_D15}. I forgot to take a screenshot of it.
The fourth flag is located at http://10.10.164.252/archive/a-cheers-to-our-it-department/, as shown above.
The fifth flag is obtained after gaining a foothold on the target machine; it is located on the Desktop.
The root.txt flag is obtained after gaining admin access on the target machine.